How to fix a security vulnerability scan report stating that the Bamboo application allows transmission of cleartext credentials


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Some security vulnerability scan reports state that the Bamboo application allows transmission of cleartext credentials.

Diagnosis

A sample finding from such a scan looks like this:

Finding Name: Web Server Transmits Cleartext Credentials

Finding Description: The remote web server contains several HTML forms with an input of type 'password' that transmit their information to a remote web server in cleartext.

An attacker eavesdropping on the traffic between the web browser and the server may obtain the logins and passwords of valid users.

Cause

Although HTTPS has been enabled and is available, the old HTTP URLs (for example http://localhost:8085) are still served, so the login form can still be submitted over plain HTTP. Either redirect every HTTP URL to its HTTPS equivalent, or stop listening on HTTP altogether.

Solution 1: Redirect HTTP requests to HTTPS
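What Solution 1 looks like in Tomcat terms, as an added example rather than configuration copied from this article or from Bamboo's own documentation: the plain-HTTP connector in Tomcat's conf/server.xml keeps listening on 8085 but names the HTTPS port in redirectPort, and a security-constraint in Bamboo's WEB-INF/web.xml marks every URL as CONFIDENTIAL, so Tomcat answers any plain-HTTP request with a redirect to the HTTPS port instead of serving the page. The HTTPS port 8443, the keystore path and the keystore password are assumptions; if you already have a working HTTPS connector from securing Bamboo with SSL, keep it and only make sure its port matches redirectPort.

```xml
<!-- conf/server.xml (Tomcat), inside <Service name="Catalina"> -->
<!-- Added example: the ports and keystore values below are assumptions. -->

<!-- Plain-HTTP connector: still accepts connections on 8085, but redirectPort
     tells Tomcat where to send a request that a security constraint requires
     to be made over TLS. -->
<Connector port="8085" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           useBodyEncodingForURI="true"
           redirectPort="8443" />

<!-- HTTPS connector: must listen on the port named in redirectPort above. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           useBodyEncodingForURI="true">
    <SSLHostConfig>
        <!-- Assumed keystore location and password -->
        <Certificate certificateKeystoreFile="/opt/atlassian/bamboo/bamboo.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- atlassian-bamboo/WEB-INF/web.xml: add just before the closing </web-app> -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted URLs</web-resource-name>
        <!-- Every path, so no login form or other page is ever served over HTTP -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL means TLS is required; for a plain-HTTP request Tomcat
             issues a redirect to the same path on redirectPort -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Restart Bamboo after both changes. One caveat: if TLS is terminated on a load balancer and Bamboo's connector only ever sees plain HTTP, the CONFIDENTIAL constraint will redirect every request in a loop. In that setup let the load balancer perform the HTTP-to-HTTPS redirect and mark Bamboo's connector with scheme="https" and secure="true" (and proxyName/proxyPort) instead of adding the constraint.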

Solution 2: Remove the HTTP listener and access Bamboo via HTTPS only

  • Make sure Bamboo is already secured with SSL in Tomcat, that is, an HTTPS connector is configured in server.xml and works.
  • Remove the HTTP connector (the one on port 8085) from server.xml, and update the load balancer and Bamboo's Base URL so that both use the HTTPS address.

(lightbulb) Adding the security constraint that redirects all URLs to HTTPS (Solution 1) turns every HTTP request on port 8085 into a redirect, which is enough to clear the scanner finding. Removing the HTTP listener (Solution 2) closes the cleartext path entirely, so nothing is ever sent to port 8085 in the first place.
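A quick way to confirm that either solution is in place before re-running the scanner, as an added example that is not part of this article: the script below asks the plain-HTTP base URL for its response headers with curl and classifies the result. A 3xx response whose Location is an https:// URL means the redirect (Solution 1) works; a refused connection means the listener is gone (Solution 2); a 200 OK means the page, and with it the password form, is still served in the clear. The default URL http://localhost:8085/ is an assumption based on Bamboo's default HTTP port.

```shell
#!/bin/sh
# Added example (not from the article): check how a Bamboo HTTP base URL now
# responds. The host and port are assumptions; 8085 is Bamboo's default HTTP port.

# classify_http_response CURL_EXIT_CODE RAW_HEADERS
# Prints one of:
#   redirect-https   - 3xx with an https:// Location (Solution 1 in place)
#   listener-closed  - curl could not connect at all (Solution 2 in place)
#   cleartext-served - 200 OK over plain HTTP, the login form is still reachable
#   other            - anything else, e.g. a redirect to an http:// URL
classify_http_response() {
    curl_rc="$1"
    headers=$(printf '%s\n' "$2" | tr -d '\r')   # normalise CRLF line endings
    if [ "$curl_rc" -eq 7 ]; then                # curl 7: failed to connect to host
        printf 'listener-closed\n'
        return 0
    fi
    # Status code is the second field of the status line ("HTTP/1.1 302 Found")
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    # First Location header value, matched case-insensitively
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" {print $2; exit}')
    case "$status" in
        301|302|303|307|308)
            case "$location" in
                https://*) printf 'redirect-https\n' ;;
                *)         printf 'other\n' ;;
            esac ;;
        200) printf 'cleartext-served\n' ;;
        *)   printf 'other\n' ;;
    esac
    return 0
}

# check_bamboo_http [URL]: run the live check against a Bamboo HTTP URL.
# Exits 0 only when plain HTTP can no longer be used to reach the login form.
check_bamboo_http() {
    url="${1:-http://localhost:8085/}"
    # -D - prints response headers to stdout; the body is discarded
    raw=$(curl -s -o /dev/null -D - --max-time 10 "$url")
    rc=$?
    result=$(classify_http_response "$rc" "$raw")
    printf '%s -> %s\n' "$url" "$result"
    [ "$result" = "redirect-https" ] || [ "$result" = "listener-closed" ]
}

# Run the live check only when a URL is given, e.g.:
#   sh check_bamboo_http.sh http://bamboo.example.com:8085/
if [ "$#" -gt 0 ]; then
    check_bamboo_http "$1"
fi
```

Run it against the same hostname users and the load balancer use, not only localhost: a redirect that works on the server itself can still be missing on the externally reachable address the scanner tests.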


Last modified on Apr 13, 2023
